Overview

overview

10

Static

static

3

5374baebb2...95.exe

windows7-x64

10

5374baebb2...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    81s
  • max time network
    111s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/01/2024, 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5374baebb2368c86ec14174dfafd3c95.exe

  • Size

    686KB

  • MD5

    5374baebb2368c86ec14174dfafd3c95

  • SHA1

    e6231ff52c123c47a18936c168e9ee15fbccb156

  • SHA256

    104486dbe85c50d2da27a784ce7095a2f26f12c7ff5087d0d9660ed15985579c

  • SHA512

    4db64c8545fa6eecfb8956eb2da545a108f715e9f7503c83a46ea721bc9318f054e0f9ae3eba0a98fa915ff04bb0f775899bc141e04bb9241167234d02df42f8

  • SSDEEP

    12288:Z9gaVtvsJvAGQFXiAb83nknnB2sGhsZkBPjc0/rTCF+Qx0ULjJSK/MUNFUGhuKkx:Mk6JvAzFXfbqknBlSsZON/r2dx1LjJS7

Score
10/10
modiloadertrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 62 IoCs
  • Checks computer location settings 2 TTPs 62 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 62 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 63 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5374baebb2368c86ec14174dfafd3c95.exe
    "C:\Users\Admin\AppData\Local\Temp\5374baebb2368c86ec14174dfafd3c95.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Users\Admin\AppData\Local\Temp\5374baebb2368c86ec14174dfafd3c95.exe
      C:\Users\Admin\AppData\Local\Temp\5374baebb2368c86ec14174dfafd3c95.exe
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
        "C:\Users\Admin\AppData\Local\Temp\SERVER.EXE"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:3956
        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:3224
          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious use of WriteProcessMemory
              PID:3516
              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in System32 directory
                • Suspicious use of WriteProcessMemory
                PID:4076
                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:3196
                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:764
                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Drops file in System32 directory
                      • Suspicious use of WriteProcessMemory
                      PID:4892
                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:1136
                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Drops file in System32 directory
                          • Suspicious use of WriteProcessMemory
                          PID:1752
                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious use of WriteProcessMemory
                            PID:3320
                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Suspicious use of WriteProcessMemory
                              PID:2476
                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Drops file in System32 directory
                                • Suspicious use of WriteProcessMemory
                                PID:2624
                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Drops file in System32 directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:4996
                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:4616
                                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Suspicious use of WriteProcessMemory
                                      PID:3768
                                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:2044
                                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:4408
                                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Drops file in System32 directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:3228
                                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              PID:3608
                                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                PID:3712
                                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Drops file in System32 directory
                                                  PID:1220
                                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Drops file in System32 directory
                                                    PID:4692
                                                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      PID:4264
                                                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Drops file in System32 directory
                                                        PID:1600
                                                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Drops file in System32 directory
                                                          PID:3200
                                                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            PID:3688
                                                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Drops file in System32 directory
                                                              PID:2440
                                                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                31⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Drops file in System32 directory
                                                                PID:808
                                                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Drops file in System32 directory
                                                                  PID:1080
                                                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Drops file in System32 directory
                                                                    PID:4844
                                                                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      • Drops file in System32 directory
                                                                      PID:976
                                                                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                        35⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        • Drops file in System32 directory
                                                                        PID:888
                                                                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Drops file in System32 directory
                                                                          PID:5044
                                                                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                            37⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Drops file in System32 directory
                                                                            PID:1492
                                                                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              • Drops file in System32 directory
                                                                              PID:3436
                                                                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                39⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Drops file in System32 directory
                                                                                PID:1052
                                                                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Drops file in System32 directory
                                                                                  PID:3252
                                                                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                    41⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    • Drops file in System32 directory
                                                                                    PID:2220
                                                                                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Drops file in System32 directory
                                                                                      PID:1884
                                                                                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                        43⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Drops file in System32 directory
                                                                                        PID:1888
                                                                                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Drops file in System32 directory
                                                                                          PID:5104
                                                                                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                            45⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Drops file in System32 directory
                                                                                            PID:1772
                                                                                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Drops file in System32 directory
                                                                                              PID:3584
                                                                                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                47⤵
                                                                                                • Checks computer location settings
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                PID:2792
                                                                                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                  48⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Drops file in System32 directory
                                                                                                  PID:1100
                                                                                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                    49⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Drops file in System32 directory
                                                                                                    PID:5068
                                                                                                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                      50⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Drops file in System32 directory
                                                                                                      PID:4104
                                                                                                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                        51⤵
                                                                                                        • Checks computer location settings
                                                                                                        • Executes dropped EXE
                                                                                                        • Drops file in System32 directory
                                                                                                        PID:2116
                                                                                                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                          52⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Drops file in System32 directory
                                                                                                          PID:4408
                                                                                                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                            53⤵
                                                                                                            • Checks computer location settings
                                                                                                            • Executes dropped EXE
                                                                                                            • Drops file in System32 directory
                                                                                                            PID:2220
                                                                                                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                              54⤵
                                                                                                              • Checks computer location settings
                                                                                                              • Executes dropped EXE
                                                                                                              • Drops file in System32 directory
                                                                                                              PID:3196
                                                                                                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                55⤵
                                                                                                                • Checks computer location settings
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                PID:4172
                                                                                                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                  56⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Drops file in System32 directory
                                                                                                                  PID:760
                                                                                                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                    57⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Drops file in System32 directory
                                                                                                                    PID:888
                                                                                                                    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                      "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                      58⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Drops file in System32 directory
                                                                                                                      PID:3392
                                                                                                                      • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                        "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                        59⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Drops file in System32 directory
                                                                                                                        PID:4116
                                                                                                                        • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                          "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                          60⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Drops file in System32 directory
                                                                                                                          PID:3124
                                                                                                                          • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                            "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                            61⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Drops file in System32 directory
                                                                                                                            PID:5040
                                                                                                                            • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                              "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                              62⤵
                                                                                                                              • Checks computer location settings
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:2116
                                                                                                                              • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                                "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                                63⤵
                                                                                                                                • Checks computer location settings
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Drops file in System32 directory
                                                                                                                                PID:1728
                                                                                                                                • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                                  "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:4076
                                                                                                                                  • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
                                                                                                                                    "C:\Windows\system32\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe"
                                                                                                                                    65⤵
                                                                                                                                      PID:1220

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SERVER.EXE
      Filesize

      566KB

      MD5

      18be1f8daf43fe07b67da48ad39f3355

      SHA1

      fc4009078519e61072797e73fdf07d5037da2dc0

      SHA256

      308a4c2c2f1632c2aa2727822623a26fd942a68d25ace3a9fd3de0a0057f1847

      SHA512

      5ea3792d31e321289920d5424f7ea6957fec70354bf2af637c40e8ea7014d543ee4e70470a3895057e54f7c0579e20e5dea4afce73b191d13d4c448dee6adee8

      Download Submit

    • C:\Windows\SysWOW64\QBgSrtcTkpqZ0Foe7xhdWGlX52P\services.exe
      Filesize

      320KB

      MD5

      ac4ef697363c6e4d6a8f92bd22363188

      SHA1

      3159e2f548e842a32ab3c4eaea0d7f426ac4a2a0

      SHA256

      e63ef5ce99b8b8654d2c69ed9ee1a508cf3105ae60fab5e1de567596694f2e96

      SHA512

      30b9536fecfb12ef2c43034ea966dbb0af36bc6340b10395bd572ddd0cefd597fc833d798ff2ab6cdd72093dfaf6ed7ecce93d15800b48f5501d6f8c3139aa7b

      Download Submit

    • memory/760-143-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/764-41-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/808-90-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/888-99-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/888-145-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/976-95-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/976-97-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1052-105-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-108-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1080-92-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1100-127-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1136-45-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1220-75-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1492-103-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1520-0-0x00000000004E0000-0x00000000004E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1520-4-0x0000000010000000-0x00000000100B6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/1568-33-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1568-29-0x0000000002730000-0x0000000002731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1600-82-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1600-80-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1752-47-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1772-121-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1884-115-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/1888-114-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1888-117-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2044-61-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2044-64-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2116-133-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2220-112-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2220-137-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2440-88-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2476-51-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2624-52-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2624-54-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2792-125-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3124-151-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3196-139-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3196-39-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3200-84-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3224-27-0x0000000002730000-0x0000000002731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3224-30-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3228-69-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3252-110-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3320-49-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3392-147-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3436-106-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3516-35-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3516-32-0x00000000023F0000-0x00000000023F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3584-123-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3608-71-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3688-86-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3712-73-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3768-60-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/3956-17-0x00000000020F0000-0x00000000020F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3956-25-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4076-37-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4104-131-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4116-149-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4172-141-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4264-79-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4408-67-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4408-63-0x0000000074A00000-0x0000000074A8D000-memory.dmp

      Filesize

      564KB

      Download

    • memory/4408-65-0x0000000002730000-0x0000000002731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4408-135-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4616-58-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4692-77-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4844-94-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4892-43-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4964-1-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/4964-6-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/4964-3-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/4964-16-0x0000000000400000-0x00000000004A1000-memory.dmp

      Filesize

      644KB

      Download

    • memory/4996-56-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/5044-101-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/5068-129-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/5104-119-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download